Two weeks from today, companies that process personally identifiable information of EU citizens will feel the heat of the new data protection law that brings the biggest changes in 20 years to the European Economic Area. That law is the General Data Protection Regulation (GDPR), and it’s a big threat to the bottom line of those found non-compliant after May 25. A GDPR benchmark report focused on the financial sector reveals that investment firms are extremely ill-equipped to face GDPR requirements.
According to a Cordium and AmberGate survey, more than half of investment firms are unlikely to be ready for the GDPR. Alarmingly, one third have yet to make the first step in that direction.
The survey included 279 respondents (likely decision makers at their respective organizations) from different types of investment firms, from hedge funds and private equity firms to private asset managers, fund administrators/custodians, investment banks, corporate entities and exchange/trading venues.
“More than one-in-three respondents have not started their GDPR compliance projects,” reads the report. “Nearly 22% of respondents are only one-third of the way through their program. Firms leaving their compliance responsibilities to the last minute may need to focus on key priorities of their program.”
Of the respondents, 70% have operations in Europe, followed by North America with 40% and Asia with 10%. Firms with operations in Europe are the most prepared to comply with GDPR: 18% of them say they are either two-thirds of the way there or finished. Less than 2% of firms across all asset classes and geographies could confidently say they were fully compliant when the survey took place.
Questions from investors on a firm’s GDPR compliance program are becoming more common, while the reputational and financial damage stemming from non-compliance in the event of a breach will be colossal, if last year’s Equifax incident is any indication.
Most pressure to comply with the GDPR comes from firms’ internal governance functions, but regulatory pressures are also strong, and customers are mentioned as another influential group in the report.
“This GDPR compliance pressure from investors and customers is likely to rise post-deadline – particularly as firms move into the fundraising part of their business cycle. No firm wants to have to tell an investor or customer that their GDPR compliance program has gaps, or that their overall approach to data security and privacy is not robust. Already, many firms are seeing queries come in from investors and customers about their relative state of GDPR readiness,” according to the report.
And, as other recent studies have found, many organizations will be unable to report a (known) data breach within the allotted 72 hours that Article 33 imposes on companies that suffered a breach. In the finance segment, nearly 59% are not ready to report a data breach within 72 hours, according to the Cordium and AmberGate survey.
The report includes a last-minute recipe for minimum compliance, touching aspects like governance, data subject rights, contracts with vendors and customers, data retention and data breach reporting. If your organization has yet to implement a GDPR compliance protocol, these should be your starting points.